Git Product home page Git Product logo

turbot / steampipe-mod-terraform-aws-compliance Goto Github PK

View Code? Open in Web Editor NEW
23.0 10.0 3.0 4.26 MB

Run compliance and security controls to detect Terraform AWS resources deviating from security best practices prior to deployment using Powerpipe and Steampipe.

Home Page: https://hub.powerpipe.io/mods/turbot/terraform_aws_compliance

License: Apache License 2.0

HCL 100.00%
sql steampipe steampipe-mod terraform aws security compliance hacktoberfest powerpipe powerpipe-mod

steampipe-mod-terraform-aws-compliance's Introduction

Terraform AWS Compliance Mod for Powerpipe

Important

Powerpipe is now the preferred way to run this mod! Migrating from Steampipe →

All v0.x versions of this mod will work in both Steampipe and Powerpipe, but v1.0.0 onwards will be in Powerpipe format only.

140+ compliance and security controls to test your Terraform AWS resources against security best practices prior to deployment in your AWS accounts.

Run checks in a dashboard:

image

Or in a terminal:

image

Documentation

Getting Started

Installation

Install Powerpipe (https://powerpipe.io/downloads), or use Brew:

brew install turbot/tap/powerpipe

This mod also requires Steampipe with the Terraform plugin as the data source. Install Steampipe (https://steampipe.io/downloads), or use Brew:

brew install turbot/tap/steampipe
steampipe plugin install terraform

Finally, install the mod:

mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-terraform-aws-compliance

Browsing Dashboards

Start Steampipe as the data source:

steampipe service start

Start the dashboard server:

powerpipe server

Browse and view your dashboards at http://localhost:9033.

Running Checks in Your Terminal

Instead of running benchmarks in a dashboard, you can also run them within your terminal with the powerpipe benchmark command:

List available benchmarks:

powerpipe benchmark list

Run a benchmark:

powerpipe benchmark run terraform_aws_compliance.benchmark.s3

Different output formats are also available, for more information please see Output Formats.

Common and Tag Dimensions

The benchmark queries use common properties (like path and connection_name) and tags that are defined in the form of a default list of strings in the variables.sp file. These properties can be overwritten in several ways:

It's easiest to setup your vars file, starting with the sample:

cp steampipe.spvars.example steampipe.spvars
vi steampipe.spvars

Alternatively you can pass variables on the command line:

powerpipe benchmark run terraform_aws_compliance.benchmark.s3 --var 'tag_dimensions=["Environment", "Owner"]'

Or through environment variables:

export PP_VAR_common_dimensions='["path", "connection_name"]'
export PP_VAR_tag_dimensions='["Environment", "Owner"]'
powerpipe benchmark run terraform_aws_compliance.benchmark.s3

Open Source & Contributing

This repository is published under the Apache 2.0 license. Please see our code of conduct. We look forward to collaborating with you!

Steampipe and Powerpipe are products produced from this open source software, exclusively by Turbot HQ, Inc. They are distributed under our commercial terms. Others are allowed to make their own distribution of the software, but cannot use any of the Turbot trademarks, cloud services, etc. You can learn more in our Open Source FAQ.

Get Involved

Join #powerpipe on Slack →

Want to help but don't know where to start? Pick up one of the help wanted issues:

steampipe-mod-terraform-aws-compliance's People

Contributors

c0d3r-arnab avatar cbruno10 avatar dboeke avatar khushboo9024 avatar madhushreeray30 avatar misraved avatar parthai avatar priyanka-chatterjee-2000 avatar rajlearner17 avatar subhajit97 avatar

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Forkers

cli-github-dev bridgecrew-perf7 jchrisfarris

steampipe-mod-terraform-aws-compliance's Issues

Add additional services specific controls

Is your feature request related to a problem? Please describe.
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

Describe the solution you'd like
A clear and concise description of what you want to happen.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
Add any other context or screenshots about the feature request here.

Add additional TF controls

Is your feature request related to a problem? Please describe.
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

Describe the solution you'd like
A clear and concise description of what you want to happen.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
Add any other context or screenshots about the feature request here.

Add new control ses_configuration_set_tls_enforced

Is your feature request related to a problem? Please describe.
Add new control ses_configuration_set_tls_enforced

Describe the solution you'd like
A clear and concise description of what you want to happen.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
Add any other context or screenshots about the feature request here.

Update benchmark and control tags for compatibility with dashboard page

Is your feature request related to a problem? Please describe.
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

Describe the solution you'd like
A clear and concise description of what you want to happen.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
Add any other context or screenshots about the feature request here.

should there be a control to check ingress on security groups as well as

we have vpc_network_acl_allow_ssh_port_22_ingress but when scanning this example code (from https://spacelift.io/blog/iac-scanning) there was no complaint

resource "aws_security_group" "example_sg" {
  name        = "public_sg"
  description = "public security group"
  vpc_id      = aws_vpc.example_vpc.id
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

Add additional services specific controls

Is your feature request related to a problem? Please describe.
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

Describe the solution you'd like
A clear and concise description of what you want to happen.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
Add any other context or screenshots about the feature request here.

Update mod.sp to address deprecation warning

Describe the bug
The current version of the mod returns a warning due to using the deprecated option version instead of min_version for the terraform plugin.

This issue can be trivially resolved by updating

  requires {
    plugin "terraform" {
      version = "0.0.5"
    }
  }

to

  requires {
    plugin "terraform" {
      min_version = "0.0.5"
    }
  }

Steampipe version (steampipe -v)
Example: v0.3.0

Plugin version (steampipe plugin list)
Example: v0.5.0

To reproduce
Steps to reproduce the behavior (please include relevant code and/or commands).

Expected behavior
A clear and concise description of what you expected to happen.

Additional context
Add any other context about the problem here.

Use the `attributes_std` column from table `terraform_resource` instead of `arguments` for better support for terraform state files

Currently, the controls use the argument column from table terraform_resource to get the resource attributes and perform the checks.

Based on the latest Terraform plugin changes, the plugin introduces 3 new columns for the table terraform_resource.

  • address - The absolute address of the resource. It will help identify the resources created using "count" or "for_each".
  • attributes - The resource attributes. Only populates in case of populating data from a terraform state file.
  • attributes_std - Similar to the existing arguments column and the newly added attributes column. The column will have the value either from the arguments column (in case of parsing the TF configuration file and TF plan files) or from the attributes column (in case of parsing TF state files).

The compliance controls will use the newly added attributes_std column instead of argument for better support for the terraform state file.

Add new controls

Is your feature request related to a problem? Please describe.
Add below new controls:

  • docdb_cluster_backup_retention_enabled
  • lambda_function_restricted_service_permission
  • neptune_cluster_backup_retention_enabled
  • neptune_db_clusters_copy_tags_to_snapshots_enabled
  • neptune_db_clusters_iam_database_authentication_enabled

Describe the solution you'd like
A clear and concise description of what you want to happen.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
Add any other context or screenshots about the feature request here.

cloudfront_distribution_origin_access_identity_enabled query fails due SQL error

Describe the bug
A clear and concise description of what the bug is.

CloudFront distributions should have origin access identity enabled
cannot extract elements from an object (SQLSTATE 22023)

Steampipe version (steampipe -v)
Example: v0.3.0

Plugin version (steampipe plugin list)
Example: v0.5.0

To reproduce
Steps to reproduce the behavior (please include relevant code and/or commands).

Expected behavior
A clear and concise description of what you expected to happen.

Additional context
Add any other context about the problem here.

eks_cluster_endpoint_restrict_public_access result false +ve

Describe the bug
A clear and concise description of what the bug is.

The query > uses endpoint_public_access, which is moved to vpc_config under terraform Resource: aws_eks_cluster

Additionally,

  • it's missing a null check if not provided; the default remains **true**
    [endpoint_public_access(https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster#endpoint_public_access) - (Optional) Whether the Amazon EKS public API server endpoint is enabled. Default is true

  • Also, it should check the public_access_cidrs match none other than 0.0.0.0/0

  • public_access_cidrs - (Optional) List of CIDR blocks. Indicates which CIDR blocks can access the Amazon EKS public API server endpoint when enabled. EKS defaults this to a list with 0.0.0.0/0. Terraform will only perform drift detection of its value when present in a configuration.

 vpc_config {
    subnet_ids             = [aws_subnet.named_test_resource1.id, aws_subnet.named_test_resource2.id]
    endpoint_public_access = true ### (Optional) Whether the Amazon EKS public API server endpoint is enabled. Default is true
    public_access_cidrs = ["0.0.0.0/0"] ### Accessible from internet
  }

Steampipe version (steampipe -v)
Example: v0.3.0

Plugin version (steampipe plugin list)
Example: v0.5.0

To reproduce
Steps to reproduce the behavior (please include relevant code and/or commands).

Expected behavior
A clear and concise description of what you expected to happen.

Additional context
Add any other context about the problem here.

Add common and tag dimensions across compliance queries

Is your feature request related to a problem? Please describe.
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

Describe the solution you'd like
A clear and concise description of what you want to happen.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
Add any other context or screenshots about the feature request here.

Add additional services specific controls

Is your feature request related to a problem? Please describe.
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

Describe the solution you'd like
A clear and concise description of what you want to happen.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
Add any other context or screenshots about the feature request here.

Controls should reference their query using `query = ` rather than `sql =`

It's simpler in code and readability to reference queries using the query = attribute rather than the sql = attribute.

This occurs throughout the mod, but as a specific example:

steampipe-mod-terraform-aws-compliance/controls/athena.sp

Lines 21 to 28 in 96ccc54

control "athena_database_encryption_at_rest_enabled" {
title = "Athena database encryption at rest should be enabled"
description = "Ensure Athena database is encrypted at rest to protect sensitive data."
sql = query.athena_database_encryption_at_rest_enabled.sql
tags = local.athena_compliance_common_tags
}

Could be changed from:

sql           = query.athena_database_encryption_at_rest_enabled.sql

to:

query         = query.athena_database_encryption_at_rest_enabled

Add additional services specific controls

Is your feature request related to a problem? Please describe.
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

Describe the solution you'd like
A clear and concise description of what you want to happen.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
Add any other context or screenshots about the feature request here.

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.